TRANSCRIPT
THE CLOUD-CENTRIC FUTURE OF CYBERSECURITY
Jim Reavis, CEO, Cloud Security Alliance
ABOUT THE CLOUD SECURITY ALLIANCE
“To promote the use of best practices for providing security assurance within Cloud Computing, and provide education on the uses of Cloud Computing to help secure all other forms of computing.”
CLOUD PROVIDER CERTIFICATION – CSA STAR
WE SEE CLOUD AS THE FOUNDATION FOR DIGITAL TRANSFORMATION!
USER CERTIFICATION – CCSK
BUILDING SECURITY BEST PRACTICES FOR NEXT GENERATION IT
RESEARCH AND EDUCATIONAL PROGRAMS
GLOBAL, NOT-FOR-PROFIT ORGANIZATION
COPYRIGHT © 2018 CLOUD SECURITY ALLIANCE
OUR COMMUNITY
35+ ACTIVE WORKING GROUPS
2009 CSA FOUNDED
SINGAPORE // ASIA PACIFIC HEADQUARTERS
EDINBURGH // EMEA HEADQUARTERS (VIRTUAL)
SEATTLE/BELLINGHAM, WA // AMERICAS HEADQUARTERS
90,000+ INDIVIDUAL MEMBERS
400+ CORPORATE MEMBERS
80+ CHAPTERS
Strategic partnerships with governments, research institutions, professional associations and industry
CSA research is FREE!
Who Belongs to CSA?
• World’s leading cloud providers
• Information security thought leaders
• Over 50 global financial services companies
• End users from finance, insurance, transportation, energy, manufacturing, retail and many more
• Top system integrators and the Big 4
• IT bellwethers
• Leading companies in North America, Europe and Asia
• Trusted advisor to governments around the world
• Thank you China for your support and participation!
Looking to the future: Digital Transformation of the Enterprise enabled by Cloud & IoT
• Massive increase in compute
• Cloud Computing is the back end
• Internet of Things is the endpoint
• Compute is Everywhere …
• But, you won’t know where Anything is…
• Devices, software, networks continuously updated
• The enterprise is a virtual, software-defined construct
• Existing security must transform to keep up
Security Megatrends for Digital Transformation
• Information security becomes Cybersecurity
  • Not just information protection
  • Safety and availability of critical infrastructure
  • Airbus 380 is a big IoT device
• Security and Privacy work together
• Radical Automation required for scalability
• Artificial Intelligence is the brain managing the digital enterprise
• Blockchain provides the trusted language & rules: Worldwide Ledger of Trust
• Cloud & Autonomics orchestrate IoT (Fog)
Cybersecurity is the Critical Investment
• Protect the brand
• Stay compliant
  • GDPR fines 20M Euros or 4% worldwide revenue
• Stay out of trouble
  • Ransomware damage costs predicted to hit $11.5B by 2019 (source Cybersecurity Ventures)
• Unleash opportunities
  • What new business is possible if you can be secure anywhere, anytime?
• But, cybersecurity needs to be “on demand” to enable the agile digital enterprise…
How Cybersecurity is Delivered
• Continuous Encryption: reduce the “plaintext” window of exposure
• Identity Mgt beyond the human to all entities
• Software Defined Perimeter
• DevSecOps automates the Cloud-Native Security
• AI/Machine learning to scale up
• Cloud becomes the dominant compute and cybersecurity platform
• Secure enclaves, Trusted execution environments, Virtual Private Clouds
• Security as a Service
Today: Understand the Cloud Security Focus
1. Layered Cloud Model
[figure: Infrastructure as a Service / Platform as a Service / Software as a Service layers, annotated “Larger number of vendors for vetting”]
2. Shared Responsibility
3. Impact to Security Program
[figure annotation: “Greater technical security control implementation responsibility”]
Case Study: Building a 100% Cloud-based Bank
• Medium-sized bank
• Mission: “Bank in the Public Cloud”
• Combination legacy app migration and new cloud apps
• Introduced concept of “Virtual Enclaves”
• Implementation vetted by regulators
Bank high level implementation
• Implemented in AWS & Azure clouds “Virtual Enclave” Architecture (Could have used other Cloud Providers)
• Key components
  • CSP Virtual Private Clouds / SDN tools
  • CSA Software Defined Perimeter (“Enclave Perimeters”)
  • Hardware Security Module (HSM) for key access
  • Multiple Availability Zones / DCs / Regions
  • “Continuous Encryption” - shrink plaintext window
  • “Immutable Containers” – virtually tamper proof (DevOps)
Bank High Level Implementation
Integrated Cloud Security and Architecture with SDP
• Perimeter Security: Strong User Authentication; Active Directory; WAF, F/W, IPS, IDS, DDoS
• Forensics Preservation: Ready Incident Response
• Threat Monitoring: Machine Learning, UBA
• Resilient Operations: Continuous Encryption; Continuous Monitoring; Highly Granular Access Control
• Governance, Risk and Compliance: Continuous Compliance Monitoring
Strong hierarchical Admin security
Immutable Container Pipeline
Software Defined Perimeter
• Architecture for creating highly secure and trusted end-to-end networks
• BYOD and Internet of Things
• Secure app-layer virtual private clouds
• Make network “dark” until entity is authenticated
• Create dynamic perimeters around clients, applications and hosts
• Complementary to Software Defined Networks (SDN)
• https://cloudsecurityalliance.org/research/sdp
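As an added illustration of the two ideas above (the network stays “dark” until an entity authenticates, and a perimeter is then opened dynamically around that one entity and application), here is a small Python model of a default-deny SDP gateway. It is not code from the presentation or from CSA's SDP specification; the shared HMAC key, the 30-second request window, the service names and the entity ids are all constructed for the demo.

```python
import hmac
import hashlib
from dataclasses import dataclass, field

# Constructed demo key shared by client and gateway; a real SDP deployment
# would use per-device credentials (PKI, mutual TLS) rather than one secret.
DEMO_KEY = b"constructed-demo-key"
AUTH_WINDOW = 30   # seconds a signed request stays valid (limits replay)


def make_tag(entity: str, ts: int) -> str:
    """Client side: sign 'entity|timestamp' so the gateway can verify who is knocking."""
    return hmac.new(DEMO_KEY, f"{entity}|{ts}".encode(), hashlib.sha256).hexdigest()


@dataclass
class SdpGateway:
    """Default-deny gateway: services stay 'dark' until an entity is authenticated
    and authorized, after which a short-lived per-entity rule is opened."""
    policy: dict                                   # service -> set of entity ids allowed
    ttl: int = 60                                  # lifetime of a dynamic rule, seconds
    rules: dict = field(default_factory=dict)      # (entity, service) -> expiry time
    log: list = field(default_factory=list)        # what a defender would see

    def authorize(self, entity: str, service: str, ts: int, tag: str, now: int) -> bool:
        """Authenticate the request, check policy, then open a dynamic perimeter rule."""
        expected = make_tag(entity, ts)
        if not hmac.compare_digest(expected, tag) or abs(now - ts) > AUTH_WINDOW:
            self.log.append(("reject-auth", entity, service))
            return False
        if entity not in self.policy.get(service, set()):
            self.log.append(("reject-policy", entity, service))
            return False
        self.rules[(entity, service)] = now + self.ttl
        self.log.append(("open", entity, service))
        return True

    def connect(self, entity: str, service: str, now: int) -> str:
        """Packet arriving at the gateway: ACCEPT only if a live rule exists, else DROP
        silently (no RST, no banner), which is what makes the network look dark."""
        expiry = self.rules.get((entity, service))
        if expiry is None or now > expiry:
            self.rules.pop((entity, service), None)   # garbage-collect expired rules
            self.log.append(("drop", entity, service))
            return "DROP"
        return "ACCEPT"
```

The log list is the defender's view: every silent drop and every policy rejection is recorded even though the client receives nothing, which is the monitoring signal an SDP gateway should feed into the threat-monitoring layer described in the bank architecture.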
Software Defined Perimeter
Bank Lessons Learned
• Moving apps between AWS & Azure not seamless, “several months to modify”
• No longer focus on Disaster Recovery
  • Major Clouds “Cannot Fail”
  • Focus on increasing resilience
• CSA’s Software Defined Perimeter key to successful implementation
  • Makes cloud infrastructure invisible
  • Eliminates several threat vectors
• Immutable Containers – even Administrators cannot change
• Continuous deployment is the biggest improvement in software development security
Prepare for the Future: Transform your Knowledge
• Master the topics
  • Immutable Workload Design
  • DevSecOps
  • Containerization & Microservices
  • CASB
  • Control inheritance
  • Software Defined Perimeter
  • Much more!
• Certificate of Cloud Security Knowledge (CCSK) can help
  • www.cloudsecurityalliance.org/education/ccsk/
Critical (and free) CSA Tools
• Security Guidance
  • Fundamental catalog of cloud security issues and best practices
  • https://cloudsecurityalliance.org/guidance
• Top Threats
  • Analysis of key threats and risks magnified by cloud
  • https://cloudsecurityalliance.org/group/top-threats
• Cloud Controls Matrix (CCM)
  • Popular security controls framework
  • https://cloudsecurityalliance.org/group/cloud-controls-matrix/
• Consensus Assessments Initiative Questionnaire
  • Cloud assessment tool based on CCM
  • https://cloudsecurityalliance.org/group/consensus-assessments/
• CSA Security, Trust & Assurance Registry
  • Repository of cloud provider security assertions
  • https://cloudsecurityalliance.org/star
• GDPR Code of Conduct
  • Compliance tool for providers and customers
  • https://gdpr.cloudsecurityalliance.org/
• Translations as available at www.c-csa.cn
Active Research Working Groups
• BLOCKCHAIN/DISTRIBUTED LEDGER
• CLOUD CYBER INCIDENT SHARING
• CLOUD COMPONENT SPECIFICATIONS
• CLOUD CONTROLS MATRIX
• CLOUD SECURITY SERVICES MANAGEMENT
• CONSENSUS ASSESSMENTS
• CONTAINERS AND MICROSERVICES
• ENTERPRISE ARCHITECTURE
• ERP SECURITY
• FINANCIAL SERVICES
• INTERNET OF THINGS
• MOBILE
• OPEN CERTIFICATION
• PRIVACY LEVEL AGREEMENT
• QUANTUM-SAFE SECURITY
• SECURITY AS A SERVICE
• SECURITY GUIDANCE
• SOFTWARE DEFINED PERIMETER
• TOP THREATS
• TAKEDOWN (EC PROJECT)
• MAST (APAC) / STRATUS PROJECT
https://cloudsecurityalliance.org/
Contact CSA
Email: [email protected]
Twitter: @Cloudsa
Site: www.cloudsecurityalliance.org
Thank You!